releaseguard
Scan, harden, sign, and verify release artifacts with ReleaseGuard — the artifact policy engine for dist/ and release/ outputs.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/asiridalugoda/releaseguard
ReleaseGuard Skill
ReleaseGuard is an artifact policy engine. Use it to scan build outputs for secrets, misconfigurations, and supply-chain risks; harden and fix them; generate SBOMs; sign artifacts; and verify release integrity.
Install ReleaseGuard
Preferred — Homebrew (macOS / Linux, no remote script execution):
brew install Helixar-AI/tap/releaseguard
Alternative — manual download from GitHub Releases (review before running):
# 1. Review the install script before executing:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | less
# 2. If satisfied, run it:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | sh
Alternative — direct binary download (no shell script):
# Replace VERSION, OS, and ARCH as appropriate (linux/darwin, amd64/arm64)
curl -sSfL https://github.com/Helixar-AI/ReleaseGuard/releases/latest/download/releaseguard-VERSION-OS-ARCH.tar.gz \
| tar -xz releaseguard
sudo mv releaseguard /usr/local/bin/releaseguard
Note: The install script is MIT-licensed and open-source at https://github.com/Helixar-AI/ReleaseGuard/blob/main/scripts/install.sh. Review it before executing in sensitive environments.
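As an added example (not code from the ReleaseGuard project or this listing), a POSIX sh wrapper around the direct-binary route above that refuses to extract the archive unless its SHA-256 matches a digest the operator supplies out of band. The function names and the expected-digest argument are assumptions; the listing itself publishes no checksums, so the digest must come from a source you already trust.

```shell
#!/bin/sh
# Added example: checksum-gated download of the releaseguard binary.
# Assumed: the caller obtains EXPECTED_SHA256 out of band (e.g. from the
# release page). Nothing here fetches or trusts a digest from the same URL.
set -eu

# sha256_of FILE -> prints the lowercase hex digest (sha256sum or shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch (case-insensitive hex).
verify_sha256() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $expected got $actual" >&2
  return 1
}

# fetch_and_install VERSION OS ARCH EXPECTED_SHA256
# Downloads the archive named on the release page, verifies it, and only
# then extracts and installs the binary. A mismatch aborts before extraction.
fetch_and_install() {
  version="$1"; os="$2"; arch="$3"; expected="$4"
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  url="https://github.com/Helixar-AI/ReleaseGuard/releases/latest/download/releaseguard-${version}-${os}-${arch}.tar.gz"
  curl -sSfL -o "$tmp/rg.tar.gz" "$url"
  verify_sha256 "$tmp/rg.tar.gz" "$expected"
  tar -xzf "$tmp/rg.tar.gz" -C "$tmp" releaseguard
  sudo install -m 0755 "$tmp/releaseguard" /usr/local/bin/releaseguard
}
```

Call it as `fetch_and_install VERSION linux amd64 EXPECTED_SHA256`, substituting the same VERSION, OS and ARCH values the direct-download instructions above use.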
External Services
Some commands interact with external services. This is documented per-command below. No data is sent externally unless you explicitly invoke the relevant flag or mode:
| Feature | External Service | Triggered by |
|---|---|---|
| CVE enrichment | OSV.dev (read-only, no auth) | sbom --enrich-cve or vex |
| Keyless signing | Sigstore / Fulcio (requires OIDC token) | sign --mode keyless |
| Cloud obfuscation | ReleaseGuard Cloud API | obfuscate --level medium/aggressive |
| SLSA Provenance L3 | ReleaseGuard Cloud API | Cloud plan only |
Credentials: Keyless signing requires an OIDC token (available in GitHub Actions, GitLab CI, etc.). Local signing requires a private key file you supply with --key. Cloud features require RELEASEGUARD_CLOUD_TOKEN. No credentials are used by default for check, fix, sbom, pack, report, or verify.
Commands
Check / Scan — releaseguard check <path>
Scan an artifact path and evaluate the release policy. No external network calls.
Trigger phrases: "scan", "check", "audit", "analyze release", "inspect dist", "any secrets", "find vulnerabilities"
releaseguard check <path>
releaseguard check <path> --format json
releaseguard check <path> --format sarif --out results.sarif
releaseguard check <path> --format markdown --out report.md
- Default format: cli (human-readable)
- Other formats: json, sarif, markdown, html
- Exit code 0 = PASS, non-zero = FAIL
Fix — releaseguard fix <path>
Apply safe, deterministic hardening transforms. No external network calls.
Trigger phrases: "fix", "harden", "apply fixes", "remediate", "auto-fix release"
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-asiridalugoda-releaseguard": {
      "enabled": true,
      "auto_update": true
    }
  }
}